Basic Iptables issue

Support for security such as Firewalls and securing linux
michaelnel
Posts: 1478
Joined: 2006/05/29 16:50:11
Location: San Francisco, CA

Re: Basic Iptables issue

Post by michaelnel » 2007/04/25 22:25:10

I wouldn't do it from the command line.

It's been so long since I did it that way I no longer remember the right way, and I am not interested in researching it.

But I assure you, if you learn the right way (I suggest the Novell Press book "Linux Firewalls Third Edition"), then it absolutely DOES work.

After all, the /etc/init.d/iptables script basically does it from the command line... it's just a script.

Firebar
Posts: 14
Joined: 2006/04/14 08:01:35

Re: Basic Iptables issue

Post by Firebar » 2007/04/25 22:33:35

Ok. I think I found what was causing the main problems though. I was omitting a rule which dealt with approved/OK'd incoming TCP connections, so:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

This was causing my ssh and http services to be unreachable. I'm presuming this is because these are services actively listening on ports and therefore already initiating connections?!

Thanks for your help :)

WhatsHisName
Posts: 1544
Joined: 2005/12/19 20:21:43
Location: /earth/usa/nj

Re: Basic Iptables issue

Post by WhatsHisName » 2007/04/26 00:02:43

[quote]...what command would you use to add in a ruleset to open port 1234 then save and restart iptables - and have it work...[/quote]

It’s probably a good idea to start by deleting /etc/sysconfig/iptables to remove the RH-Firewall-1-INPUT chain:

[code]# [b]/sbin/iptables -F[/b]

# [b]/sbin/iptables -L[/b]

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[b]Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination[/b]

# [b]rm /etc/sysconfig/iptables[/b]

# [b]/etc/init.d/iptables restart[/b]

# [b]/sbin/iptables -L[/b]

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination[/code]
Now with the RH-Firewall-1-INPUT chain removed, you can add rules:

[code]
# [b]/sbin/iptables -A FORWARD -j DROP[/b]
# [b]/sbin/iptables -A OUTPUT -j ACCEPT[/b]
# [b]/sbin/iptables -A INPUT -i lo -j ACCEPT[/b]
# [b]/sbin/iptables -A INPUT -p icmp --icmp-type any -j ACCEPT[/b]
# [b]/sbin/iptables -A INPUT -p 50 -j ACCEPT[/b]
# [b]/sbin/iptables -A INPUT -p 51 -j ACCEPT[/b]
# [b]/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT[/b]
# [b]/sbin/iptables -A INPUT -m state --state NEW -s 192.168.11.0/24 -j ACCEPT[/b]
# [b]/sbin/iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited[/b]

# [b]/sbin/iptables -L[/b]

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.11.0/24      anywhere            state NEW
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

# [b]/etc/init.d/iptables save[/b]

# [b]cat /etc/sysconfig/iptables[/b]

# Generated by iptables-save v1.3.5 on Wed Apr 25 20:10:36 2007
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.11.0/255.255.255.0 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Wed Apr 25 20:10:36 2007[/code]
P.S. I’m like michaelnel: I edit /etc/sysconfig/iptables and restart the iptables service.
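The two things this thread turns on are rule order (a rule appended with -A after the catch-all REJECT never matches) and the RELATED,ESTABLISHED rule whose omission in the earlier post made ssh and http unreachable. The script below is an added example, not code from either poster: it edits a ruleset in the /etc/sysconfig/iptables (iptables-save) format offline, inserting the "open port 1234" rule just above the INPUT chain's REJECT, and checks the state rule is present and ahead of the REJECT before the file would be reloaded with a service restart. The ruleset is the one saved in the post above, embedded here as a constructed string rather than read from /etc/sysconfig/iptables; the function names and the port are illustrative.

```sh
#!/bin/sh
# Added example (not from the original thread). Works on a ruleset in the
# format that `/etc/init.d/iptables save` writes, without needing iptables
# itself, so it can be run as a pre-flight check before `service iptables restart`.

# Constructed sample: the ruleset shown in the post above.
SAMPLE_RULES='# Generated by iptables-save v1.3.5 on Wed Apr 25 20:10:36 2007
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.11.0/255.255.255.0 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Wed Apr 25 20:10:36 2007'

# open_tcp_port RULESET PORT
# Prints RULESET with an ACCEPT for new TCP connections to PORT inserted
# immediately above the INPUT chain's catch-all REJECT. Appending the rule
# (iptables -A) would place it after the REJECT, where it is never reached.
open_tcp_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^-A INPUT -j REJECT/ && !done {
            printf "-A INPUT -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n", port
            done = 1
        }
        { print }'
}

# check_ruleset RULESET
# Returns 0 if the INPUT chain accepts RELATED,ESTABLISHED traffic and that
# rule comes before the catch-all REJECT; otherwise prints why and returns 1.
# Without this rule the reply/continuation packets of ssh and http sessions
# fall through to the REJECT, which is the symptom described in the thread.
check_ruleset() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /--state [A-Z,]*ESTABLISHED/ { est = NR }
        /^-A INPUT -j REJECT/                        { rej = NR }
        END {
            if (!est)             { print "missing RELATED,ESTABLISHED rule in INPUT"; exit 1 }
            if (rej && rej < est) { print "catch-all REJECT precedes RELATED,ESTABLISHED"; exit 1 }
            exit 0
        }'
}

# Usage: build the new ruleset and check it. In real use the output would be
# written to /etc/sysconfig/iptables and loaded with `service iptables restart`.
NEW_RULES=$(open_tcp_port "$SAMPLE_RULES" 1234)
check_ruleset "$NEW_RULES" && printf '%s\n' "$NEW_RULES"
```

The insert-before-REJECT approach is the file-editing equivalent of `iptables -I INPUT <n>` from the command line; the check is deliberately independent of iptables so it can run on any host that has the saved file.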
